CVE-2026-53777
Deferred - Pending Action

Path Traversal in Perry Build Server

Vulnerability report for CVE-2026-53777, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VulnCheck

Description

Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifact_name field of ArtifactReady WebSocket messages. Attackers controlling the server URL can deliver traversal payloads through the artifact_name or download_path fields, causing the client to overwrite sensitive files or expose arbitrary local files to an attacker-accessible location.

Meta Information

Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Showing 2 associated CPEs

Vendor   Product   Version / Range
perryts  perry     up to 0.5.1159 (exclusive)
perryts  perry     0.5.1159

CWE

CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

AI Quick Actions

Compliance Impact

CVE-2026-53777 allows a malicious build server to write arbitrary files or read sensitive local files on the victim's system by exploiting path traversal vulnerabilities in the Perry tool. This can lead to unauthorized access or modification of sensitive data.

Such unauthorized access to or exposure of sensitive files could violate data protection regulations and standards like GDPR or HIPAA, which require strict controls over the confidentiality and integrity of personal and sensitive information.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to data breaches or unauthorized data manipulation.

Executive Summary

CVE-2026-53777 is a path traversal vulnerability in Perry versions before 0.5.1159. It occurs because the 'perry publish' command trusts server-controlled fields, specifically 'artifact_name' and 'download_path', without properly sanitizing them. A malicious build server can supply crafted path components containing traversal sequences (like '../../') that allow writing arbitrary files to any location writable by the Perry client process or reading arbitrary local files.

This vulnerability enables attackers controlling the build server URL to overwrite sensitive files or expose local files to attacker-accessible locations by exploiting unsanitized path components in ArtifactReady WebSocket messages.

Impact Analysis

This vulnerability can have serious impacts including unauthorized arbitrary file writes and reads on the victim's system. An attacker can overwrite critical files such as SSH authorized keys, potentially gaining persistent access, or expose sensitive local files like AWS credentials by manipulating the download path.

The attack requires no privileges or user interaction beyond running 'perry publish' against a malicious or compromised build server, which can happen through a malicious pull request or compromised CI pipeline.

Overall, it can lead to system compromise, data exposure, and unauthorized access, posing a high security risk.

Detection Guidance

This vulnerability involves path traversal via unsanitized artifact_name and download_path fields in ArtifactReady WebSocket messages processed by the perry publish command. Detection involves monitoring for suspicious or unexpected file writes or reads outside the intended output directories, especially paths containing traversal sequences like "../" or absolute paths.

You can inspect logs or network traffic for ArtifactReady WebSocket messages containing suspicious artifact_name or download_path values with traversal patterns.

While no specific commands are provided in the resources, general detection steps include:

  • Search for files created or modified outside expected directories by Perry, especially those with names containing '..' or absolute paths.
  • Use file integrity monitoring tools (e.g., tripwire, AIDE) to detect unexpected file changes.
  • Monitor network traffic or logs for WebSocket messages with suspicious artifact_name or download_path fields.
  • Check CI pipeline configurations for untrusted or malicious build servers that could exploit this vulnerability.

Mitigation Strategies

The primary mitigation is to upgrade Perry to version 0.5.1159 or later, where the vulnerability has been fixed by sanitizing artifact_name and restricting download_path usage.

Additional immediate steps include:

  • Avoid running perry publish commands against untrusted or potentially malicious build servers.
  • Review and restrict CI pipeline configurations to prevent malicious pull requests from setting unsafe server URLs in perry.toml.
  • If upgrading immediately is not possible, monitor and audit file writes and reads triggered by Perry to detect exploitation attempts.
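As an added example (not Perry's own code), the two helpers below show the defensive checks the detection and mitigation sections describe: a containment check that resolves a server-supplied artifact_name under the client's output directory and refuses anything that escapes it, and a scanner that flags ArtifactReady messages whose artifact_name or download_path carries traversal or absolute-path patterns. The ArtifactReady message shape and the output directory are assumptions for illustration; only the two field names come from the advisory.

```typescript
import * as path from "path";

// Assumed message shape; only the field names are taken from the advisory.
interface ArtifactReady {
  artifact_name: string;
  download_path?: string;
}

// True if any path segment (either separator style) is "..".
function hasTraversalSegment(value: string): boolean {
  return value.split(/[\\/]+/).includes("..");
}

// True for POSIX absolute paths and Windows drive-letter paths.
function looksAbsolute(value: string): boolean {
  return path.isAbsolute(value) || /^[A-Za-z]:/.test(value);
}

// Resolve artifactName under outputDir; return null if it would land outside.
function safeArtifactPath(outputDir: string, artifactName: string): string | null {
  if (!artifactName || artifactName.includes("\0") || looksAbsolute(artifactName)) {
    return null;
  }
  if (hasTraversalSegment(artifactName)) return null;

  const base = path.resolve(outputDir);
  const target = path.resolve(base, artifactName);
  // Belt-and-braces containment check on the fully resolved path.
  const rel = path.relative(base, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep)) return null;
  return target;
}

// Detection helper: describe each path field that carries a suspicious value.
function flagSuspicious(msg: ArtifactReady): string[] {
  const findings: string[] = [];
  for (const [field, value] of Object.entries(msg)) {
    if (typeof value !== "string") continue;
    if (looksAbsolute(value)) findings.push(`${field}: absolute path`);
    if (hasTraversalSegment(value)) findings.push(`${field}: traversal segment`);
  }
  return findings;
}
```

Running safeArtifactPath over every artifact_name before opening a file is the shape of the fix the advisory describes; flagSuspicious is the log- or traffic-side check for the same patterns.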
